Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:21389
HistoryFeb 26, 2009 - 12:00 a.m.

[BMSA-2009-03] Multiple vulnerabilities in OpenSite v2.1

2009-02-2600:00:00
vulners.com
53
JSON

BLUE MOON SECURITY ADVISORY 2009-03

:Title: Multiple vulnerabilities in OpenSite v2.1
:Severity: Critical
:Reporter: Blue Moon Consulting
:Products: OpenSite v2.1
:Fixed in: to be fixed in 3.0

Description

OpenSite is an Open Source Content Management System powered by PHP5 and MySQL 4 and is extremely
simple and lightweight.

We have discovered six vulnerabilities in OpenSite from authentication bruteforce to SQL injection.
Except the first vulnerability rated at critical severity, the rest is of low severity.

  1. Weakened authentication.

The function ``init`` in ``origin/libs/user.php`` checks for a matching ``origin_hash`` cookie.
However, this cookie can be bruteforced in at most 2^32 tries for a known username. In reality, the
number of attempts could be greatly reduced knowing that we do not have to check for time in the
future, and long past.

  1. Special characters such as quotes, double quotes, backslashes in password prevent users from
    logging in.

In ``modules/userregister/index.php``, the argument passed to ``$user->register`` contains and
escaped ``$_POST['password']``. In ``origin/libs/user.php``, this password is hashed with ``sha1``.
However, the function ``login`` does not escape the POST data before hashing it, causing
inconsistency.

  1. Double escapes in user registraion.

In ``origin/libs/user.php``, the register function escapes all key=>value pairs before inserting
them into the database. However, ``username``, ``password``, and ``email`` have been escaped before
being passed to this function. Therefore they are escaped twice.

  1. SQL injection in admincp/includes/functions.php.

SQL injection in function ``haspermission``. The parameters ``$module`` and ``$section`` are not
escaped. This function is called in ``admincp/usergroups.php``.

  1. SQL injection in ``admincp/settings.php``.

SQL injection in processing ``$_POST['do'] == "save"``. The POST data ``settings`` are not properly
escaped before saving.

  1. SQL injection in ``admincp/usergroups.php``.

SQL injection in all permissions select command ``SELECT id,module,section,groups FROM permissions
WHERE module='".$module."' AND section='".$section."' LIMIT 1"``. The POST data ``permissions`` are
not properly escaped before use.

Workaround

There is no workaround.

Fix

These bugs are planned to be fixed in OpenSite v3.0.

Disclosure

Blue Moon Consulting adapts `RFPolicy v2.0 <http://www.wiretrip.net/rfp/policy.html&gt;&#96;_ in notifying
vendors.

:Initial vendor contact:

February 24, 2009: Initial contact sent to Jack Polgar.

:Vendor response:

February 24, 2009: Jack replied asking for technical details.

:Further communication:

February 24, 2009: Technical details were sent to Jack, and confirmation was requested.

February 24, 2009: Jack confirmed all problems and stated "most or all of them will be fixed in
the next release".

February 24, 2009: Prepared advisory is sent to Jack to co-ordinate the public release.

:Public disclosure: February 25, 2009

:Exploit code: No exploit code is provided.

Disclaimer

The information provided in this advisory is provided "as is" without warranty of any kind. Blue
Moon Consulting Co., Ltd disclaims all warranties, either express or implied, including the
warranties of merchantability and fitness for a particular purpose. Your use of the information on
the advisory or materials linked from the advisory is at your own risk. Blue Moon Consulting Co.,
Ltd reserves the right to change or update this notice at any time.

Cheers

Nam Nguyen
Blue Moon Consulting Co., Ltd
http://www.bluemoon.com.vn

JSON